I'm trying to write a website in PHP that allows the user to enter PHP code, and then be able to run it on my server. However, I want to be able to disable certain features (file access, database access, etc.). Basically, I want the code to run without any risk to my server, and if the code does attempt to do something dangerous, I just want the code to stop running (I don't mind if it just stops, produces an error, or carries on while ignoring the dangerous code).
Is this possible, and if so, how could I achieve this?
Thanks :)
It is possible using libraries that do some simple checking or limiting.
Take a look at a PECL (PHP Extensions) extension called RunKit_Sandbox http://php.net/manual/en/runkit.sandbox.php or PHPSandbox.
The key to look for on Google is PHP Sandbox, it will find you similar libraries.
vi php.ini
and then find disable_functions,
disable the functions as you want! like this :
disable_functions = exec,passthru,popen,proc_open,shell_exec,system,phpinfo,assert,chroot,getcwd,scandir,delete,rmdir,rename,chgrp,chmod,chown,copy,mkdir,file,file_get_contents,fputs,fwrite,dir
I actually developed a package specifically for these kinds of use cases. It can be fully configured and even used to override dangerous functions and globals.
https://github.com/fieryprophet/php-sandbox
Related
I just wanted to keep all my code libraries (PHP Classes; ex: http://libraries.com/form.php) on a single server for easy maintenance and availability. Wherever I need to use this library; I'd just include it in my code. But; I know; enabling remote URL include isn't safe at all. So I found a work around.
I'd just use eval( file_get_contents( 'http://libraries.com/form.txt' ). I use .txt instead of .php so I get PHP code as it is; not a blank file returned by server after PHP is processed.
This works; I get my PHP library/class and I can play with it on a remote location. But I don't know if it is safe or not. What could be pros and cons of this way. Or what other way you can suggest me to achieve this safely?
This:
Has all the security downsides of includeing remote files
Is massively inefficient due to all the extra HTTP requests
Means that a new release of a library gets deployed without being tested against the rest of the code in an application
Adds an extra point of failure for the application
Don't do this. It is a terrible idea.
Installation of dependencies should be a feature of your install script, not the application itself.
I'm having many websites installed on the same webserver. What i wanna do, is to be able to include a same file from different websites as
<?php include '/home/site/www/path/to/file.php'; ?>
and in the same time block functions like highlight_file and file so using the following code won't displays my files content
<?php echo hightlight_file('/home/site/www/path/to/file.php'); ?>
Any help will be appreciated.
If you want your PHP files to be runnable but be safe from being read, your best option is to encode them.
Take a look at IonCube PHP Encoder and SendGuard , they are both very popular options to protect source code.
Blocking PHP function can work, but you'll never be safe because you can forget functions (can you reall list them all? What if there's one you actually need?), or new functions could be added in the future and if you do not block them you'd be exposed.
...so using the following code won't displays my files content
Does that mean you want to allow other people to deploy code on the server which calls your code without revealing the PHP source? If so, then disabling highlight_file isn't going to help much. You also need to disable include, require, fopen, file_get_contents, the imap extension and several other things - which means they won't be able to access your code at all.
If you're letting other people whom you don't necessarily trust deploy code on your server then there are lots of things you need to do to isolate each account - it's not a trivial exercise and well beyond the scope of an answer here. But it's not really possible to allow access to a shared include file without providing access to the source code. Using encoded PHP solves some problems but introduces others. A better solution is to expose the functionality via a web or socket API (this solves the sharing problem but not the isolation problem).
I'd like to know who calls spl_autoload_register() in my application. Specifically, I'm using CakePHP, so a simple combination of find and grep in the source files should suffice, but I'm wondering if there is a way to set a breakpoint in Eclipse via XDebug, so the PHP interpreter will stop when the Cake scripts invoke that function and will show me the file and line number where this happens.
You know, I'm not able to manually set the breakpoint because the function is not defined in any PHP file, so effectively I'm asking if there is a way to trace calls to functions defined in PHP extensions (possibly in native code), even if I obviously won't have any way to step into machine code.
You might be able to do something sneaky with a creative use of override_function and/or rename_function, although it's likely to be a lot easier to do something with a grep -r of the source code (or, even better, ack)
I'm making a small file editor and the only kicker is I don't want the people who have access to it do use dangerous functions like unlink chdir exec and I'm sure there's 100 more they shoudln't be able to use.
I was thinking of just making an array of dangerous functions I don't want them to be able to use and when they save the file just str_replacing them out but the problem with that is what if I leave out several dangerous functions?
So with that I was hoping that either A) someone could give me a list of functions that people could abuse within PHP, OR B) give me a better solution to this problem.
Note I'm not the server admin so I'd only be able to use htaccess if you can help with the latter
Dave
If you ask me, any attempt to parse this out on source file level is hopeless.
Consider
$eval_code = base64_decode("ZXZhbA==");
$eval_code(base64_decode("ZXhlYygicnggLXJmIC8iKTs="));
// Will execute "eval("exec('rm -rf /'")", contains typo to prevent accidents
Just one of hundreds of workarounds to trick your parser....
The only way to block functions reliably is using the disable_functions php.ini directive. This is how many web providers disable potentially dangerous functions. Sadly, this is only accssible if you are the server administrator.
If you can't secure your system on that level, don't let your users write PHP code. It's too dangerous.
Don't let your users write executable PHP code. If they must be able to script things, give them some kind of template language that you parse.
As others have stated, I'd strongly advise against this. However, if you need a restricted environment, you can create a sandbox
I'm trying to make a web app that will manage my Mercurial repositories for me.
I want it so that when I tell it to load repository X:
Connect to a MySQL server and make sure X exists.
Check if the user is allowed to access the repository.
If above is true, get the location of X from a mysql server.
Run a hgweb cgi script (python) containing the path of the repository.
Here is the problem, I want to: take the hgweb script, modify it, and run it.
But I do not want to: take the hgweb script, modify it, write it to a file and redirect there.
I am using Apache to run the httpd process.
Ryan Ballantyne has the right answer posted (I upvoted it). The backtick operator is the way to execute a shell script.
The simplest solution is probably to modify the hgweb script so that it doesn't "contain" the path to the repository, per se. Instead, pass it as a command-line argument. This means you don't have to worry about modifying and writing the hgweb script anywhere. All you'd have to do is:
//do stuff to get location of repository from MySQL into variable $x
//run shell script
$res = `python hgweb.py $x`;
You can run shell scripts from within PHP. There are various ways to do it, and complications with some hosts not providing the proper permissions, all of which are well-documented on php.net. That said, the simplest way is to simply enclose your command in backticks. So, to unzip a file, I could say:
`unzip /path/to/file`
SO, if your python script is such that it can be run from a command-line environment (or you could modify it so to run), this would seem to be the preferred method.
As far as you question, no, you're not likely to get php to execute a modified script without writing it somewhere, whether that's a file on the disk, a virtual file mapped to ram, or something similar.
It sounds like you might be trying to pound a railroad spike with a twig. If you're to the point where you're filtering access based on user permissions stored in MySQL, have you looked at existing HG solutions to make sure there isn't something more applicable than hgweb? It's really built for doing exactly one thing well, and this is a fair bit beyond it's normal realm.
I might suggest looking into apache's native authentication as a more convenient method for controlling access to repositories, then just serve the repo without modifying the script.